Technical Field
This disclosure relates generally to security technologies, products and services.
Background of the Related Art
Two-factor authentication (also known as 2FA) is a technology that provides identification of users by combining two different components, such as something that the user knows (e.g., username, password, PIN), and something that the user possesses (USB stick with a secret token, a bank card, a key) or something that is inseparable from the user (e.g. a fingerprint, iris, voice, typing speed, pattern in key press intervals, etc.). If, in an authentication attempt, at least one of the components is missing or supplied incorrectly, the user's identity is not established and access to the resource being protected by two-factor authentication is denied. The something possessed by the user may be a mobile device itself.
A number of two-factor authentication schemes use a Time-based One-time Password (TOTP) scheme, as defined Internet RFC 6238. TOTP is an algorithm that computes a one-time password from a shared secret key and the current time. TOTP is an example of a hash-based message authentication code (HMAC). It combines a secret key with the current timestamp using a cryptographic hash function to generate a one-time password. The timestamp typically increases in 30-second intervals such that passwords generated close together in time from the same secret key are the same. In a typical two-factor authentication application, a user enters his private credential (e.g., username and password) into a website, generates a one-time password (OTP) for the site using TOTP running locally on a smartphone, and types the OTP into the server as well. The server runs the same TOTP algorithm to verify the one-time password entered. The approach requires that a single secret key be shared between the server and the user's device over a secure channel ahead of time.
While TOTP-based two factor authentication works well, to date the known solutions have been tied to individual sites and their associated mobile apps. This is cumbersome to configure and use in practice, as end users have to manually enter the TOTP code. This approach also requires the user to maintain a dedicated mobile app for each site that uses the authentication scheme.